This post is the first in a series of posts that focus on the global proliferation and use of Hacking Team's RCS spyware, which is sold exclusively to governments.

Read the report's coverage in the Washington Post and watch PostTV's video. See the report on the Washington Post's front page [pdf].

Read the second report in the series, "Mapping Hacking Team's 'Untraceable' Spyware".
Read the third report in the series, "Hacking Team's US Nexus".



SUMMARY 

• Ethiopian Satellite Television Service (ESAT) is an independent satellite television, radio, and online news media outlet run by members of the Ethiopian diaspora. The service has operations in Alexandria, Virginia, as well as several other countries. ESAT's broadcasts are frequently critical of the Ethiopian Government. Available in Ethiopia and around the world, ESAT has been subjected to jamming from within Ethiopia several times in the past few years. A recent documentary shown on Ethiopian state media warned opposition parties against participating in ESAT programming.

• In the space of two hours on 20 December 2013, an attacker made three separate attempts to target two ESAT employees with sophisticated computer spyware, designed to steal files and passwords, and intercept Skype calls and instant messages. The spyware communicated with an IP address belonging to Ariave Satcom, a satellite provider that services Africa, Europe, and Asia. In each case, the spyware appeared to be Remote Control System (RCS), sold exclusively to governments by Milan-based Hacking Team.
• Hacking Team states that they do not sell RCS to "repressive regimes", and that RCS is not sold through "independent agents". Hacking Team also says that all sales are reviewed by a board that includes outside engineers and lawyers. The board has veto power over any sale. Before authorizing a sale, the company states that it considers "credible government or non-government reports reflecting that a potential customer could use surveillance technologies to facilitate human rights abuses," as well as "due process requirements" for surveillance.

• The Committee to Protect Journalists (CPJ) reports that Ethiopia jails more journalists than any other African country besides Eritrea, and says that the Ethiopian government has shut down more than seventy-five media outlets since 1993. CPJ statistics also show that seventy-nine journalists have been forced to flee Ethiopia due to threats and intimidation over the past decade, more than any other country in the world. A 2013 Human Rights Watch (HRW) report detailed ongoing torture at Ethiopia's Maekelawi detention center, the first stop for arrested journalists and protest organizers. Former detainees described how they were "repeatedly slapped, kicked, punched, and beaten," and hung from the ceiling by their wrists. Information extracted in confession has been used to obtain conviction at trial, and to compel former detainees to work with the government. HRW also indicated abuses committed by the army, including the use of torture and rape to compel information from villagers near the site of an attack on a farm. HRW noted "insufficient respect for . . . due process" in Ethiopia.



BACKGROUND 

Hacking Team and Remote Control System (RCS) 

Hacking Team, also known as HT S.r.l., is a Milan-based purveyor of "offensive technology" to governments around the world. One of their products, known as Remote Control System (RCS), is a trojan that is sold exclusively to intelligence and law enforcement agencies worldwide. Hacking Team's website describes the product as "the solution" to monitor targets that are increasingly using encryption, or those located outside the borders of the government that wants to monitor them.
[Figure: excerpts from a 2011 Hacking Team brochure. Taglines: "Go stealth and untraceable." "Remote Control System is totally invisible to the target. Our software bypasses protection systems such as antivirus, antispyware and personal firewalls." "Remote Control System gathers a variety of information from target devices." "Defeat encryption and acquire relevant data." Data types pictured: Encrypted voice, Relationships, Target location, Web browsing, Messaging, Audio & Video Spy. "Attack your target either remotely or locally using several installation vectors. Do that while the target is browsing the internet, opening a document file, receiving an SMS or crossing the borders with his laptop."]

Description of RCS in a 2011 official brochure.

RCS infects a target's computer or mobile phone to intercept data before it is encrypted for transmission, and can also intercept data that is never transmitted. For example, it can copy files from a computer's hard disk, and can also record Skype calls, e-mails, instant messages, and passwords typed into a Web browser. Furthermore, RCS can turn on a device's webcam and microphone to spy on the user.

While Hacking Team claims to potential clients that RCS can be used for mass surveillance of "hundreds of thousands of targets," public statements by Hacking Team emphasize RCS's potential use as a targeted tool for fighting crime and terrorism.

Hacking Team was first thrust into the public spotlight in 2012 when RCS was used against award-winning Moroccan media outlet Mamfakinch, and United Arab Emirates (UAE) human rights activist Ahmed Mansoor, who was pardoned after serving seven months in prison for signing an online pro-democracy petition. Mansoor was infected, his Gmail password was stolen, and his e-mails were downloaded. At the same time, RCS is apparently being used by foreign governments to target individuals on US soil.

Evidence of the use of RCS against journalists and activists led Reporters Without Borders to name Hacking Team as one of the five "Corporate Enemies of the Internet." Hacking Team Senior Counsel Eric Rabe responded with a defense of his company's sales practices, in which he stated that Hacking Team does not provide its products to "repressive" regimes:

On the issue of repressive regimes, Hacking Team goes to great lengths to assure that their software is not sold to governments that are blacklisted by the EU, US, NATO, and similar international organizations, or to any "repressive" regime.

"Repressive" is a subjective term that may be difficult to define. We instead look to a selection of publications that rank countries based on freedom and democracy using a methodology. For example, The Economist publishes a Democracy Index, which rates governments around the world on a spectrum from "full democracies" to "authoritarian regimes." Reporters Without Borders also publishes a yearly Press Freedom Index, which ranks countries' press freedom situations from "good" to "very serious."



Ethiopia and Ethiopian Satellite Television Service (ESAT) 



The Economist ranks Ethiopia as an "authoritarian regime," and Reporters Without Borders classifies it as a country that presents a "difficult situation" for journalists. Human Rights Watch calls Ethiopia's press law "deeply flawed," and notes that several award-winning journalists have been convicted under the law for exercising their right to freedom of expression, as part of a government crackdown on independent media.

Journalists jailed under the press law include Eskinder Nega, who was convicted of terrorism in 2012 in a case following the publication of his column that criticized the government's detention of journalists. Nega won the 2012 PEN America Freedom to Write Award, and was hailed by the group as one of the "bravest and most admirable of writers, one who picked up his pen to write things that he knew would surely put him at grave risk." Nega is currently serving an eighteen-year sentence in prison, having "[fallen] victim to exactly the measures he was highlighting." In a May 2013 letter from prison, he wrote, "I will live to see the light at the end of the tunnel. It may or may not be a long wait. Whichever way events may go, I shall persevere!"

ESAT describes itself as "powered by broad-based collective of exiled journalists, human rights advocates, civic society leaders and members in the Diaspora." Available in Ethiopia and around the world, ESAT's television and radio signals have been subjected to jamming from within Ethiopia several times in the past few years.

Previous research by the Citizen Lab found a version of the FinFisher government spyware that used a picture of members of Ethiopian opposition group Ginbot 7 as bait, indicating politically-motivated targeting. That spyware communicated with a command-and-control server in Ethiopia.



FIRST TARGETING ATTEMPT 



First, the ESATSTUDIO Skype account was targeted with spyware. This account is used by ESAT for on-air interviews. The individual operating the ESATSTUDIO account at the time was an ESAT employee in Belgium, responsible for managing ESAT's satellite broadcasts. An individual identified as "Yalfalkenu Meches" (Skype: yalfalkenul) sent a file to ESATSTUDIO entitled "An Article for ESAT.rar." We use Skype logs provided by the targets to illustrate the attacks.

[Skype log excerpt]
Yalfalkenu Meches: [sent file: An Article for ESAT.rar] (File received. Show in folder) 15:04
Yalfalkenu Meches: Please accept this article
Yalfalkenu Meches: Looking forward to hearing your comments 15:05




This .rar file contained an .exe file disguised as a .pdf. The file used the Adobe PDF icon, and contained a 
large number of spaces between the name and extension, to prevent Windows from displaying the extension. 
[Figure: left, the file as rendered in Windows, showing an Adobe PDF icon labelled "An Article for ESAT"; right, the Windows file properties dialog (General tab) for "An Article for ESAT", with its "Type of file" field.]

Left: How the file was rendered in Windows; Right: Windows file properties dialog

Despite the file's name, "An Article for ESAT," the file did not display any such article, or any other content, 
when opened. 
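The name trick described above (an executable whose extension is pushed out of view by a run of whitespace, dressed up with a document icon) is cheap to check for on the receiving side. The following is an added example, not code from the Citizen Lab report: it splits a file name into the part a user sees and the extension Windows will actually use, compares the claimed type against the file's first bytes, and sweeps every member of an archive. The archive is a constructed in-memory zip standing in for the .rar in the report (the standard library has no RAR reader), and the member contents are constructed sample bytes, not the real attachment.

```python
import io
import re
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
PE_MAGIC = b"MZ"                      # every Windows .exe starts with the DOS/PE header
DOCUMENT_MAGIC = {                    # what a file of the claimed type should start with
    ".pdf": b"%PDF-",
    ".doc": b"\xd0\xcf\x11\xe0",      # OLE2 compound document
    ".docx": b"PK\x03\x04",           # OOXML is a zip container
}
WHITESPACE = " \t\u00a0"              # characters Explorer renders as blank space


def analyze_name(filename):
    """Split a name into what the user sees and what Windows executes.

    'An Article for ESAT<60 spaces>.exe' -> visible 'An Article for ESAT',
    real_ext '.exe', padding 60, decoy_ext None.
    'report.pdf<3 spaces>.exe' -> decoy_ext '.pdf', real_ext '.exe', padding 3.
    """
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = filename, ""
    real_ext = "." + ext.lower() if dot else ""
    visible = stem.rstrip(WHITESPACE)
    padding = len(stem) - len(visible)
    m = re.search(r"\.([A-Za-z0-9]{1,5})$", visible)
    decoy_ext = "." + m.group(1).lower() if m else None
    return {"visible": visible, "real_ext": real_ext,
            "padding": padding, "decoy_ext": decoy_ext}


def disguise_indicators(filename, head):
    """Return the reasons a (name, first bytes) pair looks like a disguised
    executable; an empty list means nothing suspicious was found."""
    info = analyze_name(filename)
    reasons = []
    runs_as_exe = info["real_ext"] in EXECUTABLE_EXTENSIONS
    if runs_as_exe and info["padding"] >= 2:
        reasons.append(f"{info['padding']} whitespace characters push "
                       f"'{info['real_ext']}' out of view")
    if runs_as_exe and info["decoy_ext"] in DOCUMENT_MAGIC:
        reasons.append(f"decoy extension '{info['decoy_ext']}' before "
                       f"real extension '{info['real_ext']}'")
    claimed = info["decoy_ext"] or info["real_ext"]
    if head.startswith(PE_MAGIC) and not runs_as_exe:
        reasons.append("content is a PE executable but the name ends in "
                       f"'{info['real_ext'] or '(none)'}'")
    elif claimed in DOCUMENT_MAGIC and not head.startswith(DOCUMENT_MAGIC[claimed]):
        reasons.append(f"content does not start with the {claimed} magic bytes")
    return reasons


def scan_archive(archive_bytes):
    """Check every member of a zip archive (stand-in for the .rar in the
    report) and return {member name: reasons} for the suspicious ones."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            with zf.open(member) as fh:
                head = fh.read(8)
            reasons = disguise_indicators(member.filename, head)
            if reasons:
                findings[member.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample archive (not the real attachment): one member mimics
    the padded 'An Article for ESAT' name with PE content, one is a benign
    OLE .doc with the matching magic bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("An Article for ESAT" + " " * 60 + ".exe",
                    b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("An Article for Esat.doc",
                    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_archive(build_sample_archive()).items():
        print(repr(name))
        for reason in reasons:
            print("  -", reason)
```

Only the padded member is reported; the benign .doc passes both the name and the magic-byte checks. The magic-byte comparison matters because Explorer's icon comes from the executable's own resources, so neither the icon nor the visible name is evidence of the file type.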

ANALYSIS AND LINK TO HACKING TEAM RCS 

Summary 

The file sent to ESAT appeared to be Hacking Team's RCS spyware for the following two reasons: 

• The file communicated with a server that returned two SSL certificates. The second certificate was 
issued by "RCS Certification Authority" / "HT srl", and was similar to SSL certificates returned by 
two other servers apparently owned by Hacking Team. The first certificate was similar to certificates 
returned by two other servers that appeared to be demonstration servers for Hacking Team's RCS 
spyware. 

• The file matched a signature that we had previously developed for RCS spyware.

Detailed Analysis

The hash of the file was:

sha256: 4a53db7b98aa000aeaa72d6a44004ef9ed3b6c09dd04a3e6015b62d741de3437
sha1: b7438e699dd54f8b56fc779c1b8b08b1943d9892
md5: 53a9e1b59ff37cc2aeff0391cc546201

Shortly after opening the .exe file, it attempted to communicate with the server 46.4.69.25 on port 80.

inetnum: 46.4.69.0 - 46.4.69.31
netname: HETZNER-RZ14
descr: Hetzner Online AG
descr: Datacenter 14
country: DE



We probed the server and noticed that it returned two self-signed SSL certificates:

Issuer                                    Subject                                   Fingerprint
/CN=default                               /CN=server                                a7c0eacd845a7a433eca76f7d42fc3fedf1 hde3c
/CN=RCS Certification Authority/O=HT srl  /CN=RCS Certification Authority/O=HT srl  6500c243015a6ecc59f1272fec38eb0065d22063



The second certificate is issued by "RCS Certification Authority" / "HT srl".

Issued To
  Common Name (CN)          RCS
  Organization (O)          <Not Part Of Certificate>
  Organizational Unit (OU)  <Not Part Of Certificate>
  Serial Number             01
Issued By
  Common Name (CN)          RCS Certification Authority
  Organization (O)          HT srl
  Organizational Unit (OU)  <Not Part Of Certificate>



Hacking Team refers to their spyware as "RCS," and identifies itself as "HT S.r.l." on its website:

[Website footer: Copyright ©2013 / Via della Moscova 13 20121 - Milano - Italy]



To confirm our hypothesis that these certificates were associated with Hacking Team, we searched historical SSL certificate data released by the Internet Census (443-TCP_SSLSessionReq) and by the University of Michigan's zmap project. We found two servers returning the "RCS Certification Authority" / "HT srl" certificate that were in the following range:

inetnum: 93.62.139.32 - 93.62.139.47
netname: FASTWEB-HT
descr: HT public subnet
country: IT
person: GIANCARLO RUSSO
address: VIA DELLA MOSCOVA 13
address: MILANO MI
address: IT
phone: +39 0229060603

The address and phone number on the range match those on Hacking Team's website. A Giancarlo Russo is listed as the Chief Operating Officer of Hacking Team on LinkedIn. Thus, we believe that Hacking Team controls this range of IP addresses.
The two servers in this range that returned similar certificates to the server in the ESAT spyware were:

93.62.139.39 on 6/28/2012:

Issuer                                    Subject                                   Fingerprint
/CN=RCS Certification Authority/O=HT srl  /CN=rcs-castore                           deee895bf1f68e97cb997d929e0f991ecec6ab29
/CN=RCS Certification Authority/O=HT srl  /CN=RCS Certification Authority/O=HT srl  1e8e8806aa605544cda2bbb906b5d0cc7fb61ff7

93.62.139.42 on 8/12/2012:

Issuer                                    Subject                                   Fingerprint
/CN=RCS Certification Authority/O=HT srl  /CN=rcs-polluce                           277fdf33df7baca54ce8336982db865d9f38f514
/CN=RCS Certification Authority/O=HT srl  /CN=RCS Certification Authority/O=HT srl  e8d5f17d142768abe2ed835d5a61d99602ab082b

Because these IP addresses were registered to Hacking Team, we believe that the presence of a certificate apparently issued by "RCS Certification Authority" / "HT srl" is indicative of a server for Hacking Team's RCS spyware. The Internet Census (443-TCP_SSLSessionReq) also recorded two instances of a server returning a certificate that matched the "default" / "server" certificate returned by the server in the ESAT spyware, along with an incomplete certificate for "rcs-demo.hackingteam.it." This server was used by an RCS spyware sample found in VirusTotal. This certificate was returned by 168.144.159.167 on 12/14/2012, and by 94.199.243.39 on 12/14/2012. This is a further indication that the server in the spyware targeting ESAT is a Hacking Team RCS server.

The file itself also matched a signature we had previously developed for RCS spyware. 
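The certificate reasoning above (an issuer DN tied to Hacking Team's own address space, plus the weaker "default"/"server" pair) can be turned into a repeatable sweep over historical scan data. The block below is an added example and not the report's tooling: it parses OpenSSL-style one-line DNs, labels each certificate by the traits the report describes, and groups hits per server with first/last seen dates. The scan records are constructed; their IPs and DNs are the ones named in the report, but the fingerprints are placeholders and the dates for 46.4.69.25 are assumed, not taken from the report.

```python
import re
from datetime import date

# Issuer fields the report associates with Hacking Team's RCS servers.
RCS_CA = {"CN": "RCS Certification Authority", "O": "HT srl"}


def parse_dn(dn):
    """Parse an OpenSSL one-line DN such as '/CN=rcs-castore' or
    '/CN=RCS Certification Authority/O=HT srl' into {'CN': ..., 'O': ...}.
    A slash escaped as '\\/' inside a value is kept as part of the value."""
    fields = {}
    for part in re.split(r"(?<!\\)/", dn.strip()):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().upper()] = value.replace("\\/", "/").strip()
    return fields


def classify_certificate(issuer_dn, subject_dn):
    """Label a certificate by the traits discussed in the report:
      'rcs-ca'         issuer is /CN=RCS Certification Authority/O=HT srl
      'default-server' the self-signed CN=default issuer / CN=server subject
                       pair, a weaker indicator on its own
      None             neither trait present"""
    issuer, subject = parse_dn(issuer_dn), parse_dn(subject_dn)
    if all(issuer.get(k) == v for k, v in RCS_CA.items()):
        return "rcs-ca"
    if issuer.get("CN") == "default" and subject.get("CN") == "server":
        return "default-server"
    return None


def sweep(records):
    """records: dicts with ip, seen (date), issuer, subject, fingerprint.
    Returns {ip: {'labels': set, 'first_seen': date, 'last_seen': date}}
    for every IP that returned at least one matching certificate."""
    hits = {}
    for rec in records:
        label = classify_certificate(rec["issuer"], rec["subject"])
        if label is None:
            continue
        entry = hits.setdefault(rec["ip"], {"labels": set(),
                                            "first_seen": rec["seen"],
                                            "last_seen": rec["seen"]})
        entry["labels"].add(label)
        entry["first_seen"] = min(entry["first_seen"], rec["seen"])
        entry["last_seen"] = max(entry["last_seen"], rec["seen"])
    return hits


RCS_CA_DN = "/CN=RCS Certification Authority/O=HT srl"

# Constructed records in the spirit of the Internet Census / zmap data the
# report searched. Fingerprints are placeholders; the 46.4.69.25 dates are
# assumed. The last record is benign traffic for contrast.
SAMPLE_RECORDS = [
    {"ip": "46.4.69.25", "seen": date(2013, 12, 20), "issuer": "/CN=default",
     "subject": "/CN=server", "fingerprint": "fp-placeholder-1"},
    {"ip": "46.4.69.25", "seen": date(2013, 12, 20), "issuer": RCS_CA_DN,
     "subject": RCS_CA_DN, "fingerprint": "fp-placeholder-2"},
    {"ip": "93.62.139.39", "seen": date(2012, 6, 28), "issuer": RCS_CA_DN,
     "subject": "/CN=rcs-castore", "fingerprint": "fp-placeholder-3"},
    {"ip": "93.62.139.42", "seen": date(2012, 8, 12), "issuer": RCS_CA_DN,
     "subject": "/CN=rcs-polluce", "fingerprint": "fp-placeholder-4"},
    {"ip": "168.144.159.167", "seen": date(2012, 12, 14), "issuer": "/CN=default",
     "subject": "/CN=server", "fingerprint": "fp-placeholder-5"},
    {"ip": "203.0.113.7", "seen": date(2012, 12, 14), "issuer": "/C=US/O=Example CA/CN=Example Root",
     "subject": "/CN=www.example.com", "fingerprint": "fp-placeholder-6"},
]

if __name__ == "__main__":
    for ip, info in sorted(sweep(SAMPLE_RECORDS).items()):
        print(ip, sorted(info["labels"]), info["first_seen"], info["last_seen"])
```

Keeping the two labels separate matters for triage: an "rcs-ca" issuer was enough for the report to tie a server to Hacking Team's address space, whereas the "default"/"server" pair only became meaningful once the report had matched it to a sample already known to be RCS.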

SECOND ATTEMPT 

The target did not open the first file ("An Article for ESAT.exe"), and complained to Yalfalkenu that the file 
was an .exe application. Yalfalkenu responded that he had received the file from a friend. 
[Skype log excerpt]
ESATSTUDIO: this not an article 15:07
ESATSTUDIO: it is an application, i will not open it 15:07
Yalfalkenu Meches: application? 15:07
Yalfalkenu Meches: what do you mean? 15:07
ESATSTUDIO: check it yourself by unzipping it 15:08
Yalfalkenu Meches: It is a pdf article 15:08
ESATSTUDIO: no 15:08
ESATSTUDIO: it is a .exe file 15:08
ESATSTUDIO: if it is pdf, why do you send it as zip file? 15:08
Yalfalkenu Meches: Let me check that 15:09
ESATSTUDIO: if you got it from another person, be careful 15:09
ESATSTUDIO: do not double click and run it 15:09
Yalfalkenu Meches: Yeah I got it from a friend, but I actually read its word version from him 15:10
Yalfalkenu Meches: K from 15:10
Yalfalkenu Meches: ok thanks 15:10



Yalfalkenu also said that he opened the .exe file and it "worked fine." However, despite the file's name, "An Article for ESAT," the file did not display any such article, or any other content, when opened.

[Skype log excerpt]
Yalfalkenu Meches: got it 15:23
Yalfalkenu Meches: but it worked fine for me 15:24
Yalfalkenu Meches: I double clicked it before I sent it to you, it worked fine 15:25
Yalfalkenu Meches: Anyhow I will send the word version for you 15:25
Yalfalkenu Meches: later 15:25



Yalfalkenu followed up by sending ESATSTUDIO a Word document.

[Skype log excerpt]
ESATSTUDIO: if it is a word file it should have extension like .doc or .docx 15:27
ESATSTUDIO: not .exe 15:27
ESATSTUDIO: the file that you sent me has a file name like An Article for ESAT .exe 15:28
ESATSTUDIO: sent for me? 15:28
Yalfalkenu Meches: [sent file: An Article for Esat.doc] (File received. Show in folder) 15:30
Yalfalkenu Meches: got u. What you said makes sense 15:31
Yalfalkenu Meches: I got the doc file. Accept it 15:32

Analysis and Link to Hacking Team RCS

The Word document was:

sha256: 5bde4288c11f0701b54398ffeeddb4d6882d91b3e34bf76b1e250b8fc46be11d
sha1: 057675f8dfda0f44a695ec18a5211ff4e68a1873
md5: 8df850088e2324d5c89615be32bd8a35
As with the previous file, opening this file did not result in any bait content being displayed. A user who opened the file saw a blank Word document, which quickly closed itself.

The document exploited a bug in Microsoft Windows (CVE-2012-0158) to run a program that downloaded and executed a file: 216.118.232.254/svchst.exe. An update to Windows available since April 2012 fixes this bug. The IP address 216.118.232.254 belongs to Ariave Satcom, a satellite provider that services Africa, Europe, and Asia.

VSC Satellite Co.  VSC-IPOWN1 (NET-216-118-224-0-1)  216.118.224.0 - 216.118.255.255
Private Customer   VSC-ARIAVE (NET-216-118-232-0-1)  216.118.232.0 - 216.118.232.255

We downloaded svchst.exe:

sha256: bc68c8d86f2522fb4c58c6f482c5cacb284e5ef803d41a63142677855934d969
sha1: b341cc1c299c07624814f35a35a4d505e65d3b67
md5: 015c238d56b8657c0946ec45b131362a

Like the first file, the file communicated with 46.4.69.25. This file also matched our signature for RCS spyware. For the same reasons as the first file, this file appears to be Hacking Team RCS spyware.
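The second attempt leaves a recognisable trace on the network side: a document is opened, an executable is fetched from a URL whose host is a bare IP address, and the new process starts talking to a second bare-IP host on port 80 within seconds. The following added example (not from the report) runs that logic over constructed proxy log lines in a simple "timestamp client method url status" form. The two indicator addresses are the ones the report names; the client addresses, timestamps and benign lines are constructed, and the five-minute correlation window is an assumption.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Command-and-control address named in the report.
KNOWN_C2 = {"46.4.69.25"}
EXECUTABLE_RE = re.compile(r"\.(exe|scr|dll|com|pif)$", re.IGNORECASE)
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed proxy log lines. Lines 2 and 3 mimic the download-then-beacon
# sequence the report describes; lines 1 and 4 are benign traffic.
SAMPLE_LOG = """\
2013-12-20T15:30:02 10.0.0.12 GET http://www.example.org/news/index.html 200
2013-12-20T15:30:41 10.0.0.12 GET http://216.118.232.254/svchst.exe 200
2013-12-20T15:30:45 10.0.0.12 POST http://46.4.69.25/ 200
2013-12-20T15:31:10 10.0.0.33 GET http://downloads.example.org/setup.exe 200
"""


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "client": m["client"],
        "method": m["method"],
        "host": url.hostname or "",
        "path": url.path,
        "status": int(m["status"]),
    }


def host_is_bare_ip(host):
    """True when the URL host is a literal IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def detect(log_text, window=timedelta(minutes=5)):
    """Return (severity, client, reason) tuples for:
      - any request to a known RCS C2 address            (high)
      - an executable fetched from a bare-IP URL          (medium)
      - a follow-up request to a bare-IP host from the same client within
        `window` of such a download, the beacon pattern   (high)"""
    alerts = []
    last_exe_download = {}  # client -> timestamp of its last bare-IP .exe fetch
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        client, host = ev["client"], ev["host"]
        if host in KNOWN_C2:
            alerts.append(("high", client, f"request to known RCS C2 {host}"))
        if not host_is_bare_ip(host):
            continue
        if EXECUTABLE_RE.search(ev["path"]):
            alerts.append(("medium", client,
                           f"executable {ev['path']} fetched from bare IP {host}"))
            last_exe_download[client] = ev["ts"]
        elif client in last_exe_download and ev["ts"] - last_exe_download[client] <= window:
            alerts.append(("high", client,
                           f"request to {host} within {window} of an executable download from a bare IP"))
    return alerts


if __name__ == "__main__":
    for severity, client, reason in detect(SAMPLE_LOG):
        print(f"[{severity}] {client}: {reason}")
```

The sequence rule is the part that survives an attacker changing addresses: the known-C2 lookup only catches the infrastructure in this report, whereas "executable from a bare IP, then traffic to another bare IP from the same host" describes the behaviour of the dropper itself.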



THIRD ATTEMPT 

An hour and a half later on the same day, Yalfalkenu targeted another ESAT employee, this time based in their Northern Virginia offices.

[Skype log excerpt]
Yalfalkenu Meches: [sent file: Weyane Mender Wetu.doc] (File received. Show in folder) 11:00 AM
Yalfalkenu Meches: Please Comment on this article 11:02 AM

The document was:

sha256: 8f9a6ae6aa56e12596d02c864998b4373a96d3f788195db3601b6e3ec54a99fb
sha1: c384ca066fe0145455f14976c0ecf8a817a30f86
md5: daa5912d4ca0e4a143378947ef329374

Like the second file, the document also exploited the CVE-2012-0158 bug, but had two main differences. First, the document actually displayed bait content: a copy of this article. Second, instead of downloading a file from a server, the document contained an embedded file, which it copied as CyHidWin.exe. We extracted the file and analyzed it:

sha256: d30bc31d6ad75de20aa3a45d338298030dc9136ba94aee93b4843e279fa3d59c
sha1: 4f8b2f1071870b9d03f3bb341cf9523b0574d8f6
md5: c5cfa1afd5d3148a0d33fc1940ea1a37

As in the previous two files, the file communicated with 46.4.69.25. This file also matched our signature for RCS spyware. For the same reasons as the first two files, this file appears to be Hacking Team RCS spyware.
EPILOGUE

After the first two targeting attempts, we alerted ESAT that Yalfalkenu Meches was trying to target them with spyware. On the third attempt, the targeted user confronted Yalfalkenu, who again professed that he had received the file from a friend.

[Skype log excerpt]
Yalfalkenu Meches: What the hell are you talking about? 1:32 AM
Yalfalkenu Meches: I just shared an article I got from a friend! 1:32 AM
Yalfalkenu Meches: Anything wrong with that?

Yalfalkenu also expressed puzzlement about how opening a Word document could infect a computer, and said that he was a victim.

[Skype log excerpt]
Yalfalkenu Meches: How can I be a victim by reading a mere word document 1:37 AM
Yalfalkenu Meches: u mean he sent me a spyware and I sent u that spyware? 1:36 AM

We talked to employees of ESAT, who said that Yalfalkenu used to collaborate with them, but then he "disappeared for a while." It is possible that someone else is now using Yalfalkenu's account.

Links to Other Spyware

Our scans indicated that the following other servers were likely being run by the same attacker that targeted ESAT, and were also likely Hacking Team RCS servers:

IP               First Seen   Last Seen   Provider                      Country
109.200.22.160   7/25/2012    8/10/2012   Delamere Services             UK
109.200.22.161   7/25/2012    8/12/2012   Delamere Services             UK
109.200.22.162   10/14/2012   1/13/2014   Delamere Services             UK
109.200.22.163   10/13/2012   1/13/2014   Delamere Services             UK
176.74.178.45    10/30/2013   1/13/2014   Infinite Dimension Solutions  UK
176.74.178.119   7/25/2012    8/12/2012   Infinite Dimension Solutions  UK
176.74.178.120   7/25/2012    8/12/2012   Infinite Dimension Solutions  UK
176.74.178.202   10/13/2012   1/13/2014   Infinite Dimension Solutions  UK
176.74.178.203   10/18/2012   1/13/2014   Infinite Dimension Solutions  UK
46.166.162.147   5/16/2013    8/11/2013   Santrex                       SC
69.60.98.203     5/16/2013    Active      Serverpronto                  US
216.118.232.245  11/18/2013   Active      Ariave Satcom                 ??



We note that the "RCS Certification Authority" / "HT srl" SSL certificates returned by these servers were issued on 5/8/2012. Based on this date, we estimate that the attacker who targeted ESAT has been using Hacking Team's RCS spyware since May 2012, or earlier.

We found the following sample in VirusTotal that matched our signature for Hacking Team RCS spyware. The sample used 46.166.162.147 as a command-and-control server. Thus, we believe the attackers were the same, though we have no indication as to who they may have targeted:

sha256: 9577aabf5e31af1409e2abe8c29ac918d7f8784dec75b4088a60fce6a45e9fc7
sha1: 0e326c39c91efeff1d045bec3c7e7c38405d0430
md5: c17e788e28d47891f94c64739ee7fffb

CONCLUSION 

In this report, we identified three instances where Ethiopian journalist group ESAT was targeted with spyware in the space of two hours by a single attacker. In each case the spyware appeared to be RCS (Remote Control System), programmed and sold exclusively to governments by Milan-based Hacking Team. While Hacking Team and other "lawful intercept" spyware vendors purport to practice effective self-regulation, this case seems to be part of a broader pattern of government abuse of such spyware. "Lawful intercept" spyware has also apparently been abused to target Bahraini activists, Moroccan journalists, critics of the Turkish Government, and Emirati human rights activists.